Table of Contents
Overview ... 4
Warning!!! ... 6
Props -1 ... 13
Props -2 ... 15
Exercise ... 17
Summary ... 36
Notices ... 37
Page 1 of 37
Conducting On-site Access
Overview
Gaining On-site Access
Exploiting On-site Access
Gaining On-site Access
Warning!!!
Never execute a physical penetration test unless
• You have the proper authorization from the proper authority
Does anybody have questions about that? Yes. Don't use what we're about to teach you for bad, malicious things. All right.
Gaining On-Site Access -1
policy? Do you have a lock-your-workstation-before-you-walk-away policy, before you leave it unattended? You're testing those controls. So it is within scope of an IT penetration test?
guard, to get on to somebody's computer, to install UPS underneath their desk. All right? We're going to have to talk to people and use our social engineering skills.
Your Backstory
Develop a story that gives you a reason to be there and lets you do what you need to do
• “I’m performing a computer inventory”
• “I need to manually push some patches to ‘this problem machine’”
• “You’re getting a new keyboard, can I install it for you?” (e.g., your key logger)
• “I’ve been contracted to perform a wireless assessment of this facility”
Do not over-engineer your story, but try to make it two levels deep
• “…who’s your boss?”
• “…what do you mean we are getting new telephones?”
• “…you’re not on my list?”
So what can your story be? Why would you need to gain access to the IT systems here in the building? What would be a good story?
So your backstory. Make sure you have a backstory; why are you there? And make sure it goes-- it doesn't have to be over-engineered, it just has to be able to withstand a "Well why are you here? Who authorized you to be here? Who's your point of contact?" kind of stuff. Right? "So who's your boss?" "Well I'm a new employee." "Well who's your boss?" "I don't remember his name. I've only met him twice." Right?
Props -1
Can add credibility to your story
• Organization Polo Shirt
— Check the local Thrift Stores.
• The “clipboard”
— No one asks questions from a person with a clipboard.
• Test Equipment
— If you say you are there to fix the phone, you better have the right equipment for the part.
Mike Warren: Yes, your USB sticks, your drop disks; anything you're going to use while you're there. Extra forms in case you run out of space to count your telephones. Right.
Student: Tools.
Student: Yes.
Props -2
The Fake Badge
• Obtain a copy or picture of a badge
• Recon what a badge looks like
• Open source research (you might get lucky)
• Capture all the detail you can
— Font and Font Size
— Images/Watermarks
— Colors
— Numbers
— Roles
[Figure: mock-up of a fake badge showing the badge number 0938475-093, the role CONTRACTOR, and the placeholder name "Your Name"]
I had to go against this one credit union. The guard was eight times my size; but luckily he was 30 feet away. I was walking in with everybody else and I hear this, "Hey you, where's your badge?" So I lifted it up, flashed it from 40 feet. He was like, "Thanks." All right, you got me. So.
Exercise
How would you get past the guard…if there was one?
Oh back. I guess it's gone back the other way.
Mike Warren: All right, I need my guard and my pen tester.
Student: Donuts?
Student: Yes.
Mike Warren: There you go.
Exploiting On-Site Access
Exploiting On-Site Access -1
Student: Yes.
nobody's going to talk to you anyways. It's a good spot. The break area. You know, an open public area.
Student: Yes.
Exploiting On-Site Access -2
Is there anything in the trash? Do they have a 100% shred policy? If they do, you're there to test to make sure anything in the trashcan isn't of use. All right?
Exploiting On-Site Access -3
— Likewise, elevators do not always stop on all floors, sometimes none without a key.
• Try not to go through alarmed doors.
— It happens…
— Look for smoke pits/break areas (do not forget your props).
was a problem with this alarm. Like, "It wasn't a problem until you opened the door." "Oh, thank you." Yes.
should you do? Right, it's open. It has shares; it has connection to the internet. Right? You want to take as much time as you can to enumerate what access you have. They probably open their email; so you have access to their email. You have access to their internet, their share point.
Student: Do a "Boy."
On-Site Access Tactics -2
http://www.renderlab.net/projects/sneaky/
It was the headquarters audio/video room. So we took a wireless access point, put it above the projector, plugged it in to a network cable. We would then sit in the parking lot, in the snow, and download all of our exfiltrated-- or exfiltrate all the data that we found the day before.
— “Company Proprietary”
files. Somebody actually opens it; it's going to come back to you and let you know that somebody opened it.
On-Site Access Tactics -4
small but just so he could see it. So. People will do weird things. So look around. Never give up; you'll find it somewhere.
• Add a user.
• Install a keylogger.
Yes, so look for managed shares. Look in My Documents and My Downloads. Right? If you're getting stuff off a share point and documents are downloaded, there's a plethora of interesting documents in there.
— Prove a point, do not splice the entire shred pile back together.
new thing that Chris made people do. And yes, I think I still have paper cuts.
Dangers of On-Site Access
Do not run from the guys with the guns. You're not there to test their accuracy. If they say "Stop": "All right, you got me. Good." Hopefully they don't have guns. But don't run from them.
Summary
Gaining On-site Access
Exploiting On-site Access
Student: Authorization.
Mike Warren: Authorization. What else do we have on us?
Notices
© 2012 Carnegie Mellon University
This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their
own individual study.
Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or
used in any other manner without requesting formal permission from the Software Engineering Institute at
permission@sei.cmu.edu.
This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003
with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded
research and development center. The U.S. government's rights to use, modify, reproduce, release,
perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial
Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified
contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce
the disclaimers contained on this slide.
Although the rights granted by contract do not require course attendance to use this material for U.S.
government purposes, the SEI recommends attendance to ensure proper understanding.
THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND
ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF
FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL,
MERCHANTABILITY, AND/OR NON-INFRINGEMENT).
CERT ® is a registered mark owned by Carnegie Mellon University.